code-to-diagram

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md Analysis Strategy explicitly instructs cloning GitHub repos with git clone <url> and then scanning/reading the codebase, meaning the agent fetches and interprets arbitrary public, user-generated repository content (GitHub) which can materially influence its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly performs runtime clones via "git clone --depth 1 /tmp/repo-name", fetching arbitrary remote repository contents that are then read/analyzed and injected into the agent's workflow (i.e., the fetched content directly controls the agent's input), so this external URL pattern is a required runtime dependency that can control prompts.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill instructs creating a Puppeteer config that disables Chromium sandboxing ("--no-sandbox", "--disable-setuid-sandbox"), which explicitly bypasses a security mechanism even though it doesn't request sudo or user creation.